How to find decrypt key for cocos2djs?

How to decompile a jsc file
A few days ago, I got many apps compiled with the Cocos2d-js framework. If you follow our website, you will know that I have already posted a tutorial for a Cocos2d-js game.

But if the game I got were similar to the one in that tutorial, I would not post this one.
 
Target: Kungfu Hospital
 
You can download the example apps to practice.
 

What is the problem with this game?

For sure, this game uses JavaScript, and you can mod it by modifying the .js files. The problem is that the .js files are encrypted: they ship as “.jsc” files.
 

What is Cocos2d-x?

Cocos2d-x is a mature open source cross-platform game development framework that supports 2D and 3D game creation. The engine provides rich functions such as graphics rendering, GUI, audio, network, physics, user input, etc., and is widely used in game development and interactive application construction. Its core is written in C++ and supports development in C++, Lua or JavaScript. Cocos2d-x deploys to iOS, Android, HTML5, Windows and Mac systems with features focused on native mobile platforms. 

What is a JSC file?

JSC files mostly belong to JavaScript by Mozilla Foundation. JSC is a compiled script file for JavaScript, which is a programming language. JavaScript was developed by Brendan Eich for Netscape, and is now maintained by Mozilla Foundation and Ecma International. The purpose of compiling JavaScript is to obfuscate and protect client-side source code, although the effectiveness of the method is questionable.

Let’s Play

First, I found a lot of information about decrypting on the internet, and most of it is “sharing a tool to decrypt”. But the thing that is really important is the decryption key, and you cannot find a tutorial or anything else about “how to reverse the app and find the key”.

After researching and learning from the internet, here is the encryption process:
 
Mainly there are these types of encryption:

  1. XXTEA
  2. XXTEA + ZIP
  3. XXTEA + GZIP
There are a lot of tools on the internet, but I am sure that most of them are useless. So you can download my code to use.
The process is: when you run the game, it calls a function from libcocos2djs.so to decrypt the jsc file, and then everything proceeds normally.
To decrypt the jsc file, you have to run XXTEA decryption with the encryption key.
There are 2 ways to get the key:
  1. Reverse libcocos2djs.so
  2. Write a hook, and when the game calls the xxtea_decrypt function, we get the key.
In this tutorial, we will follow solution 1. Load libcocos2djs.so into IDA Pro and open the Exports window. We know that cocos2d-x uses XXTEA to encrypt the file, so we search for “xxtea” by pressing Ctrl-F.
IDA Export XXTea

You can see there is a function named “jsb_set_xxtea_key”.

Searching for information from Cocos Creator, we found this:

```cpp
bool AppDelegate::applicationDidFinishLaunching()
{
#if USE_ANYSDK
    SDKManager::getInstance()->loadAllPlugins();
#endif

    // initialize director
    auto director = Director::getInstance();
    auto glview = director->getOpenGLView();
    if(!glview) {
#if (CC_TARGET_PLATFORM == CC_PLATFORM_ANDROID) || (CC_TARGET_PLATFORM == CC_PLATFORM_IOS)
        glview = GLViewImpl::create("SCMJ");
#else
        glview = GLViewImpl::createWithRect("SCMJ", cocos2d::Rect(0,0,900,640));
#endif
        director->setOpenGLView(glview);
    }

    // set FPS. the default value is 1.0/60 if you don't call this
    director->setAnimationInterval(1.0 / 60);

    ScriptingCore* sc = ScriptingCore::getInstance();
    ScriptEngineManager::getInstance()->setScriptEngine(sc);

    se::ScriptEngine* se = se::ScriptEngine::getInstance();

    // The XXTEA key used for .jsc files is handed to the engine here as a plain string.
    jsb_set_xxtea_key("0d948dcc-c014-46");
    jsb_init_file_operation_delegate();

#if defined(COCOS2D_DEBUG) && (COCOS2D_DEBUG > 0)
    // Enable debugger here
    jsb_enable_debugger("0.0.0.0", 5086);
#endif

    se->setExceptionCallback([](const char* location, const char* message, const char* stack){
        // Send exception information to server like Tencent Bugly.
    });

    jsb_register_all_modules();

#if USE_ANYSDK
    se->addRegisterCallback(register_all_anysdk_framework);
    se->addRegisterCallback(register_all_anysdk_manual);
#endif

    se->start();

    jsb_run_script("main.js");

    return true;
}
```

This is exactly the function we need to find the key. Double-click the function and we are here.

set_xxx_key

Click the Code XREF to find the parent function that called it. We will need to repeat this 2 times, and we will be here.

AppDelegate::applicationDidFinishLaunching

Exactly: look at the name of the function:

AppDelegate::applicationDidFinishLaunching

And it matches the Cocos Creator code. So this function needs a key, which means the key is built by the code above the call. Scroll up to find it.

explain the code before set key

In some apps, the key is stored very simply, as a plain string.

Example: key = “AlexRaymond”, and you will find it clearly. But in this app, the key was split up and stored in a complicated way. In the picture, I explain how to read the code and what the key is.

In this app, the key is: yiguangp

Now you can decrypt the jsc file in this app with our attached code above.

Note from editor: If you try to ask someone on other forums, like MIKA from platimod and someone from iosgod… bla bla, the thing you will receive is “No, there is no way to find it. The only way is you have to be a C++ expert”. But the truth is “That is a private method, sorry, we cannot share it with you.” Why? Because they are afraid that if you know the method, you will do better than them.

About the 2nd method: you can use Frida and write a script to get the key. It is very easy. Here is the script to use with Frida.

```javascript
Java.perform(function () {
    // xxtea_decrypt(data, data_len, key, key_len, ret_length): the key is args[2], its length args[3].
    let xxtea_decryptaddr = Module.findExportByName("libcocos2djs.so", "xxtea_decrypt");
    console.log("[xxtea_decryptAddr]-> ", xxtea_decryptaddr);
    if (xxtea_decryptaddr === null) {
        throw new Error("xxtea_decrypt is not exported (library not loaded yet or symbol stripped)");
    }
    Interceptor.attach(xxtea_decryptaddr, {
        onEnter: function (args) {
            // The key buffer is not NUL-terminated, so read exactly key_len bytes.
            console.log("[key]-> " + args[2].readCString(args[3].toInt32())); // print key
        },
        onLeave: function (retval) {
        }
    });
});
```

This script hooks the xxtea_decrypt function in libcocos2djs.so to obtain the xxtea key.

There are a lot of shared scripts here: